@thomasfuchs Note that this isn’t different from other social networks, though in that case it’s employees of the company the social network is operated by that can read your private messages. Some end-to-end secure solutions include Telegram, Signal and iMessage (to a degree).

@thinkMoult @thomasfuchs @freemo I'll echo this but warn against Signal for now. I want to trust it but they are doing some fishy stuff regarding telling people to use the Play store to get the app, even after self-hosting it.

@mkb @thinkMoult @thomasfuchs @freemo It's not that Signal would be deliberately sabotaging anything. I don't think intent factors into bad cybSec. The chain of trust is instantly broken the moment I have to use Play to install it, since it's a black box. Google has been known before to acquiesce to bad actor demands (NSA).

However, the phone verification is a sticking point for me by itself. That's a window into my meatspace ID that I'm not sure most should be too comfortable with. #security

Yeah, for many threat models phone numbers don’t work well as a primary identifier.

If you find you absolutely have to use Signal at some point, it does work to set up a Google voice number and use that instead. I did this on an old Android phone with no SIM. I’d expect the same to work with a throwaway number from Burner.

Telegram’s encryption is off by default and must be explicitly enabled.

Also, if your threat model includes state actors then know that the people who created Telegram’s protocol aren’t cryptographers. Cryptographers who have evaluated the protocol generally view it as subpar.

Keybase also has end-to-end encrypted messaging though I haven’t seen their protocol assessed.

@thomasfuchs it would be amazing to see some of the techniques applied in SSB, Briar, and others applied here; thanks to the pliable nature of the protocol, it's definitely possible to add secure end-to-end encryption for PMs and DMs here.

@thomasfuchs Isn't it the default for all social networks? I don't know any social network which offers end-to-end encrypted direct messages. The most likely alternative most people will choose is email, which can be end-to-end encrypted but most likely won't be.

@thomasfuchs it happens so often to me that I reply to a toot just to notice afterwards that someone else already replied something similar because there is no indicator in the timeline that there are already replies... 😕

@thomasfuchs I mean, I use it sometimes, but only as a way to say something 'quietly'. Like, I don't really mind if people know what I said but it's not of interest to anyone more than a couple of people so I just don't shove it in their timelines.

@thomasfuchs note: this is true for all websites, including Twitter and Facebook. the only truly secure way of transmitting private information is through E2E-encrypted services like Enigmail, Telegram, WhatsApp, etc. and even then there is contention over it.